Microsoft to re-enforce March patch that owns Windows over RDP
Black Hat Asia Microsoft will soon prevent Windows from authenticating un-patched RDP clients, to cap a March patch that addressed a flaw which can allow lateral movement across a network from a compromised Remote Desktop Protocol session.
CVE-2018-0886 allows remote code execution because Microsoft’s Credential Security Support Provider protocol (CredSSP), which lets an application delegate a user’s credentials from the client to the target server for remote authentication, does so before it checks the validity of a certificate. A man in the middle could therefore exploit the flaw by relaying good credentials along with a rogue certificate carrying a good public key, and so gain access to one machine.
From there, lateral movement across a network becomes possible and that’s just the sort of thing bad actors love.
The flaw was discovered by security company Preempt, which explained it in the video below.
Microsoft’s documentation for the patch said “Mitigation consists of installing the update on all eligible client and server operating systems and then using included Group Policy settings or registry-based equivalents to manage the setting options on the client and server computers.”
“We recommend that administrators apply the policy and set it to ‘Force updated clients’ or ‘Mitigated’ on client and server computers as soon as possible.”
The Microsoft advisory also mentions two planned actions to address the attack. On April 17th, 2018, an update to Microsoft’s RDP client “will enhance the error message that is presented when an updated client fails to connect to a server that has not been updated.” And on May 8th, or perhaps later, “An update to change the default setting from Vulnerable to Mitigated” will arrive [Microsoft’s emphases – Ed].
But Preempt personnel today told the Black Hat Asia conference in Singapore that the May patch will restrict use of un-patched RDP clients so that the vulnerability can’t be exploited. The firm’s people added that CVE-2018-0886 must be considered mitigated, not fixed, until the next Microsoft update, and that there’s a 60-day window for exploitation of the bug.
It therefore seems sensible to keep a close eye on May’s Patch Tuesday dump, not to assume that the March dump fixed the problem completely. It’s also worth looking for updates from vendors of third-party RDP clients, as they can also fall foul of this vulnerability. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/23/cve_2018_0886_credential_security_support_provider_protocol/